NIST Password Guidelines Change

By Colin Glover, Sera-Brynn Sr. Cybersecurity Analyst

The National Institute of Standards and Technology (NIST) recently updated their Digital Identity Guidelines, releasing NIST SP 800-63-3. This four-volume set, 800-63-3, 800-63A, 800-63B, and 800-63C, provide technical requirements for federal agencies implementing digital identity services. Of most importance to the DoD requirement for the protection of Covered Defense Information/Controlled Unclassified Information are the guidelines in 800-63B, Authentication and Lifecycle Management.

Of note, NIST has changed the password guidelines (Section 5.1.1). No longer are there complexity or arbitrary change requirements. The password should be between 8 and 64 characters and only changed if there is a suspected breach. Passwords must be checked against available compromised password lists before being accepted. A very robust compromised password list is available at An API service is available, There are certainly other, very good blacklists available, but the list above is certainly the most comprehensive.

Another significant change in 800-63B, especially in regards to those seeking compliance under DFARS 252.204-7012, is the update of approved types of Multifactor Authentication (MFA). In particular, certificates stored securely on an endpoint, i.e. desktop, laptop, may be used as the “something you have” portion of MFA (Section 5.1.8). According to 800-63B, “The key SHOULD be stored in suitably secure storage available to the authenticator application (e.g., keychain storage, TPM, TEE). The key SHALL be strongly protected against unauthorized disclosure by the use of access controls that limit access to the key to only those software components on the device requiring access. Multi-factor cryptographic software authenticators SHOULD discourage and SHALL NOT facilitate the cloning of the secret key onto multiple devices.“

The DRAFT NIST SP 800-53 rev 5 has incorporated the new password guidelines already and should be acceptable for DFARS 252.204-7012 compliance. The next version of NIST SP 800-171 almost certainly will include this guidance.

The DoD CIO’s office has stated that certificate based MFA is acceptable for compliance with the Multifactor Authentication requirements.

For additional information on Digital Identity Guidelines or DFARS 252.204-7012 compliance please contact Sera-Brynn at

Sera-Brynn, LLC, a FedRAMP-authorized assessor and cybersecurity audit and advisory firm based in Virginia, has audited and advised companies on the implementation of DFARS since its inception in 2013. Based on its work in the field, the firm urges companies to be alert to the deadline and to seek qualified assistance in identifying the scope of government data within their organization. Also important is building in sufficient time to develop and implement network segregation, multifactor authentication, endpoint encryption, continuous monitoring, insider threat training programs, and other plans that may be necessitated by DFARS.

For more information, visit

About Sera-Brynn

Sera-Brynn is a leading cybersecurity audit and advisory firm. The Virginia-based company offers threat management, compliance and risk assessment, risk control, and incident response services that enable clients to secure their computing environments and meet applicable and mandatory cybersecurity regulatory standards. This technical expertise is the backbone of their DFARS compliance services. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list.

About Colin Glover

As a Senior Security Analyst at Sera-Brynn, Colin provides risk management and compliance audits to clients across a wide variety of industries. He has over 15 years of experience in risk management, incident response, security policy, continuity planning, crisis communications, analysis, and collection. Prior to Sera-Brynn, Colin was a Counterintelligence Special Agent for the Defense Security Service focused on protecting technology and data within the Defense Industrial Base. Specifically, he sought to identify and protect against APT attacks directed at contractor networks. Amongst other certifications, he is a Certified Information Systems Security Professional. Colin holds a Bachelor of Science from Excelsior College and a Masters in Mechanical and Aerospace Engineering from the University of Virginia.

Media Contact: